ScreenShot
| Created | 2023.12.14 18:50 | Machine | s1_win7_x6401 |
| Filename | fol4.exe | ||
| Type | PE32+ executable (console) x86-64, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 35 detected (AIDetectMalware, malicious, high confidence, score, unsafe, Save, GenericKD, Attribute, HighConfidence, Kryptik, Havoc, mqaaRRIgwpQ, zjwaj, Detected, ScarletFlash, 77F24P, ABRisk, KHXR, Chgt, R002H0DLD23, FalseSign, Vdkl, Static AI, Malicious PE, confidence, 100%) | ||
| md5 | 16d69d752dfb1211e0e67596d59caca1 | ||
| sha256 | 8c0be5f83ceabd02114ffe1eacfe59ef011bc09fe08a4eb22c6cc14fbd80bce7 | ||
| ssdeep | 6144:qPK11eSPZUfxfEYpeHSybVVmAyS+EKnkG2Rut2GKVu3iE5HyTivqmogOKw1eo1:qm1DZUfxfEYp0SviMk1IohJPWlBE1 | ||
| imphash | 5295d583c9853102cc64559e29002d53 | ||
| impfuzzy | 24:QTF8078p8dYJgfSlDqcVK0MG95XG66ZykoDqoZn:wn8pvGfzcVhRJG6wykoqE | ||
Network IP location
Signature (7cnts)
| Level | Description |
|---|---|
| danger | Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) |
| danger | File has been identified by 35 AntiVirus engines on VirusTotal as malicious |
| watch | Communicates with host for which no DNS query was performed |
| notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | One or more potentially interesting buffers were extracted |
| notice | The binary likely contains encrypted or compressed data indicative of a packer |
Rules (4cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | IsPE64 | (no description) | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
PE API
IAT(Import Address Table) Library
ADVAPI32.dll
0x1400211f0 CryptAcquireContextW
0x1400211f8 CryptCreateHash
0x140021200 CryptDecrypt
0x140021208 CryptDeriveKey
0x140021210 CryptDestroyHash
0x140021218 CryptDestroyKey
0x140021220 CryptHashData
0x140021228 CryptReleaseContext
KERNEL32.dll
0x140021238 DeleteCriticalSection
0x140021240 EnterCriticalSection
0x140021248 FreeConsole
0x140021250 GetCurrentProcess
0x140021258 GetLastError
0x140021260 GetModuleHandleA
0x140021268 GetProcAddress
0x140021270 GetStartupInfoA
0x140021278 InitializeCriticalSection
0x140021280 LeaveCriticalSection
0x140021288 SetUnhandledExceptionFilter
0x140021290 Sleep
0x140021298 TlsGetValue
0x1400212a0 VirtualProtect
0x1400212a8 VirtualQuery
msvcrt.dll
0x1400212b8 __C_specific_handler
0x1400212c0 __getmainargs
0x1400212c8 __initenv
0x1400212d0 __iob_func
0x1400212d8 __lconv_init
0x1400212e0 __set_app_type
0x1400212e8 __setusermatherr
0x1400212f0 _acmdln
0x1400212f8 _amsg_exit
0x140021300 _cexit
0x140021308 _commode
0x140021310 _fmode
0x140021318 _initterm
0x140021320 _onexit
0x140021328 abort
0x140021330 calloc
0x140021338 exit
0x140021340 fprintf
0x140021348 free
0x140021350 fwrite
0x140021358 malloc
0x140021360 memcpy
0x140021368 signal
0x140021370 strlen
0x140021378 strncmp
0x140021380 vfprintf
EAT(Export Address Table) is none
ADVAPI32.dll
0x1400211f0 CryptAcquireContextW
0x1400211f8 CryptCreateHash
0x140021200 CryptDecrypt
0x140021208 CryptDeriveKey
0x140021210 CryptDestroyHash
0x140021218 CryptDestroyKey
0x140021220 CryptHashData
0x140021228 CryptReleaseContext
KERNEL32.dll
0x140021238 DeleteCriticalSection
0x140021240 EnterCriticalSection
0x140021248 FreeConsole
0x140021250 GetCurrentProcess
0x140021258 GetLastError
0x140021260 GetModuleHandleA
0x140021268 GetProcAddress
0x140021270 GetStartupInfoA
0x140021278 InitializeCriticalSection
0x140021280 LeaveCriticalSection
0x140021288 SetUnhandledExceptionFilter
0x140021290 Sleep
0x140021298 TlsGetValue
0x1400212a0 VirtualProtect
0x1400212a8 VirtualQuery
msvcrt.dll
0x1400212b8 __C_specific_handler
0x1400212c0 __getmainargs
0x1400212c8 __initenv
0x1400212d0 __iob_func
0x1400212d8 __lconv_init
0x1400212e0 __set_app_type
0x1400212e8 __setusermatherr
0x1400212f0 _acmdln
0x1400212f8 _amsg_exit
0x140021300 _cexit
0x140021308 _commode
0x140021310 _fmode
0x140021318 _initterm
0x140021320 _onexit
0x140021328 abort
0x140021330 calloc
0x140021338 exit
0x140021340 fprintf
0x140021348 free
0x140021350 fwrite
0x140021358 malloc
0x140021360 memcpy
0x140021368 signal
0x140021370 strlen
0x140021378 strncmp
0x140021380 vfprintf
EAT(Export Address Table) is none